Hello, yes:

root@xxxxxx:/var/log# netstat -tuna | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:* 
udp        0      0 0.0.0.0:514             0.0.0.0:*


  <remote>
    <connection>syslog</connection>
    <allowed-ips>161.182.xxx.xxx</allowed-ips>
    <allowed-ips>161.182.xxx.xxx</allowed-ips>
  </remote>



On Tuesday, March 14, 2017 at 1:48:17 PM UTC-4, jose wrote:
>
> Hi, can you verify if the port is open?
>
> [root@wazuh-manager /]# netstat -tuna | grep 514
> udp        0      0 0.0.0.0:514             0.0.0.0:*
>
> The symantec ip is allowed in ossec.conf right?
>
>
>
> Regards
> -----------------------
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com
>
> On March 14, 2017 at 12:44:07 PM, eholl...@gmail.com (eholl...@gmail.com) 
> wrote:
>
> It's very strange... I have already enabled syslog over 514 from 
> our symantec server to the OSSEC server, and I see the logs coming into our 
> ELSA instance, but I have grep'd our syslog files, OSSEC archive and OSSEC 
> alerts files and do not see the log anywhere on the server... Where should 
> these logs be written when being sent to the server? I've checked all 
> gzipped files in /var/log/ as well as all files in /var/ossec/logs/archive/ 
> and /var/ossec/logs/alerts/
>
> On Tuesday, March 14, 2017 at 11:44:36 AM UTC-4, jose wrote: 
>>
>> Hello,
>>
>> In order to permit OSSEC to receive your Symantec syslog messages, you need 
>> to enable this in the configuration:
>>
>> Listen in port 514:
>>
>> <ossec_config>
>>   <remote>
>>     <connection>syslog</connection>
>>     <allowed-ips>Symantec AV ip</allowed-ips>
>>   </remote>
>> </ossec_config>
>>
>> then you need to restart ossec:
>>
>> /var/ossec/bin/ossec-control restart
>>
>> If after these changes you are still not receiving alerts, enable logall 
>> in ossec.conf (<logall>yes</logall>) and take a look at the file 
>> "/var/ossec/logs/archives/archives.log". If the logs are in this file but 
>> not in your alerts, probably the decoders or rules have something wrong.
>>
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On March 14, 2017 at 10:57:55 AM, eholl...@gmail.com (eholl...@gmail.com) 
>> wrote:
>>
>> Hello All, 
>>
>> I have pointed my Symantec AV logs to our OSSEC server via syslog over 
>> port 514. I am seeing the logs come into ELSA, but not as OSSEC alerts. I 
>> have created a custom decoder and parser, and can confirm that it is 
>> working:
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'Symantec'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '100006'
>>        Level: '7'
>>        Description: 'Symantec: virus found'
>> **Alert to be generated.
>>
>> Do I need to point OSSEC to monitor the incoming syslog so that it can 
>> alert on it? Again, I am seeing the straight syslog coming into ELSA, but 
>> no OSSEC alert appears to be generated.
>>
>> Thanks

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

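The checklist Jose walks through above (a <remote> block with <connection>syslog</connection>, the sender in <allowed-ips>, a restart, then <logall>yes</logall> and a look at archives.log) can be scripted. The shell script below is an added example, not code from this thread or from the OSSEC project. It audits an ossec.conf fragment for those settings and tests whether a given source address would pass the allowed-ips filter; the config fragment and every IP in it are constructed for the example. Two caveats a practitioner would add: the address in <allowed-ips> has to be the source address as the manager sees it (after any NAT), and ossec-remoted's syslog listener is UDP unless <protocol>tcp</protocol> is configured, so if another syslog daemon already holds UDP 514 ossec-remoted cannot bind it and the messages never reach OSSEC; the last function shows which process owns the port on a live manager.

```shell
#!/bin/sh
# Added example, not code from the thread or the OSSEC project: offline
# checks for the ossec.conf settings discussed in the thread, plus a live
# check of who owns port 514. Config fragment and IPs are constructed.

SAMPLE_CONF='<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>161.182.10.20</allowed-ips>
    <allowed-ips>10.50.0.0/16</allowed-ips>
  </remote>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>'

# Print the <allowed-ips> entries of every <remote> block whose
# <connection> is syslog, one per line (reads ossec.conf on stdin).
syslog_allowed_ips() {
    awk '
        /<remote>/ { in_remote = 1; is_syslog = 0; n = 0 }
        in_remote && /<connection>[ \t]*syslog[ \t]*<\/connection>/ { is_syslog = 1 }
        in_remote && /<allowed-ips>/ {
            s = $0
            sub(/.*<allowed-ips>[ \t]*/, "", s); sub(/[ \t]*<\/allowed-ips>.*/, "", s)
            ips[n++] = s
        }
        /<\/remote>/ {
            if (is_syslog) for (i = 0; i < n; i++) print ips[i]
            in_remote = 0
        }'
}

# Return 0 if SRC_IP matches any entry read on stdin. Handles the plain
# "a.b.c.d" and CIDR "a.b.c.d/bits" forms; OSSEC also accepts a dotted
# netmask form, which this simplified matcher does not.
ip_allowed() {
    awk -v src="$1" '
        function ip2int(ip,   a) {
            split(ip, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        NF == 0 { next }
        {
            if (index($0, "/")) { split($0, p, "/"); net = p[1]; bits = p[2] + 0 }
            else                { net = $0; bits = 32 }
            if (bits < 0 || bits > 32) next
            block = 2 ^ (32 - bits)    # addresses per network block
            if (int(ip2int(src) / block) == int(ip2int(net) / block)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Return 0 if <logall>yes</logall> is set (reads ossec.conf on stdin).
logall_enabled() {
    grep -q '<logall>[[:space:]]*yes[[:space:]]*</logall>'
}

# Usage: audit_syslog_source SRC_IP < /var/ossec/etc/ossec.conf
# Prints one line per finding; returns 0 only when a syslog <remote>
# exists and SRC_IP is allowed by it.
audit_syslog_source() {
    conf=$(cat)
    rc=0
    allowed=$(printf '%s\n' "$conf" | syslog_allowed_ips)
    if [ -z "$allowed" ]; then
        echo "FAIL: no <remote> block with <connection>syslog</connection>"
        rc=1
    elif printf '%s\n' "$allowed" | ip_allowed "$1"; then
        echo "OK: $1 matches an allowed-ips entry"
    else
        echo "FAIL: $1 matches none of: $(printf '%s' "$allowed" | tr '\n' ' ')"
        rc=1
    fi
    if printf '%s\n' "$conf" | logall_enabled; then
        echo "OK: logall is on, raw events land in /var/ossec/logs/archives/archives.log"
    else
        echo "WARN: logall is off, archives.log will not show the raw syslog"
    fi
    return "$rc"
}

# On a live manager (needs root): which process holds port 514? If a
# syslog daemon bound UDP 514 first, ossec-remoted cannot, and the
# messages never reach OSSEC. Not exercised by the offline checks.
port514_owner() {
    if command -v ss >/dev/null 2>&1; then
        ss -ulnp 'sport = :514'
    else
        netstat -tunap 2>/dev/null | grep ':514[[:space:]]'
    fi
}

printf '%s\n' "$SAMPLE_CONF" | audit_syslog_source 10.50.3.4
```

Run it against the real file with `audit_syslog_source <sender-ip> < /var/ossec/etc/ossec.conf`, restart with `/var/ossec/bin/ossec-control restart` after any change, and then `port514_owner` to confirm the UDP socket belongs to ossec-remoted rather than the daemon feeding ELSA.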